GHSA-fppq-f2m6-xv5c: Improper Authorization vulnerability in Magento and Adobe Commerce
Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high.
Source
GitHub Advisory Database (GitHub Reviewed)
CVE
CVE-2025-24434
Severity
Critical (GitHub Reviewed)
Published to the GitHub Advisory Database
Feb 11, 2025
Last updated
Feb 12, 2025
Package
composer magento/community-edition (Composer)
Affected versions
>= 2.4.8-beta1, < 2.4.8-beta2
>= 2.4.7-beta1, < 2.4.7-p4
>= 2.4.6-p1, < 2.4.6-p9
>= 2.4.5-p1, < 2.4.5-p11
< 2.4.4-p12
Patched versions
2.4.8-beta2
2.4.7-p4
2.4.6-p9
2.4.5-p11
2.4.4-p12
composer magento/project-community-edition (Composer)
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-24434
- https://helpx.adobe.com/security/products/magento/apsb25-08.html